Spotlight: Tracking a User’s Whereabouts with simplekml

The Spotlight series highlights useful Python libraries and their forensic application.

You’re no doubt aware that major technology companies, like our great benefactor Google, retain a great deal of data regarding their users. It shouldn’t come as much of a surprise considering how important users are to a company’s livelihood. Wouldn’t you want to know, if you could, every detail about your customers and who you do business with to better engage them? And as disturbing as that can be (have you seen Google’s location history timeline?), I think we can all agree that we have wished for similar omniscient-like knowledge in our investigations. I hate to disappoint you, but this isn’t a post about that.

One thing that can give us the appearance of omniscience is a history of the user’s whereabouts. It can be hard, for example, to discount a mobile device’s reported location at the scene of the crime at the time the crime occurred when the user’s alibi places them a few towns over during that same time. In this day and age who do you think you are fooling with the “My phone wasn’t with me” gimmick.

This is the context in which we will be using Python and simplekml to create an effective means of presenting location details with Google Earth. Geolocation data can be extracted by a number of different means: photo EXIF metadata, app-specific data, geolocating Wi-Fi network MAC addresses using services like Wigle, etc. Let’s assume you’ve already used your powers to extract geolocation data from the evidence and have created a CSV like this.

Date (EST)

Longitude

Latitude

Description

03/25/2017 11:23 PM

-96.808950

32.7753462

Reunion Tower Meet up

03/26/2017 03:14 AM

-97.7403505

30.2746652

Texas Capitol Rendezvous

03/26/2017 04:32 AM

-98.104356

29.7383697

Gruene Hall Gathering

03/26/2017 06:00 AM

-98.205692

29.871944

North Park Crime Scene

Without much else, your report, as interesting as the data may be may not generate the same level of interest from others. Especially if many hundreds of coordinates were extracted from the device using a CSV as a report may be difficult to visualize. Let’s simplify things with simplekml and create an easy to understand interactive timeline with Python and Google Earth.

Installing Simplekml

Simplekml is a third-party module compatible with both Python 2.X and 3.X and can be installed a number of ways, the easiest of which is using pip. For this post, we will use the latest version, version 1.3.0, to write some example code and show off basic functionality. Note, to follow along, Google Earth will also need to be installed to open the KML file we generate.

pip install simplekml

Using Simplekml

Let’s start out with the basics and plot our data points into a KML file. The CSV containing our data is called “geolocation_data.csv” in this example. First, after importing the csv and simplekml libraries, we will read in our CSV into a list called csv_data. We use list comprehension to read in the CSV data and store all rows except the header row which starts with the “Date (EST)” column. Next, we create our kml object and use the name keyword argument to set a title for our file. At this point, all that remains is to iterate through each coordinate and use the newpoint() function to plot the data. This function takes a name, a description, and a list containing a tuple representing a longitude and latitude pair.

After naming and saving the KML file, we can readily view it with Google Earth. In the screenshot below, I enabled the “Borders and Labels” checkbox within Google Earth to better represent the data. Simplekml is simple but can be used to do a bit more than just plot data, let’s take this a step further to show some relation between our data points.

In our concocted scenario, these points represent a series of events leading up to a “crime”. We can use the simplekml library to link these points to enhance that connection instead of just plotting points on a map. This too can be accomplished in just a few lines of code. The code below is inserted after we initially plot our points and prior to saving the KML file.

In this new set of code, after plotting each point, we grab the first start time and stop time for our series of points. We will use this in the description of our line to denote the range of time covered. We use the newlinestring() method to create our line object. Notice, we use list comprehension to dynamically create a list of tuples of longitudes and latitudes. After creating this line, we set the width and change the color to red to ensure it stands out. This creates a line in our map connecting all of our points as shown in the photo below.

We can take this one step further and create a guided tour of sorts. The end result will create a video flying between each of our points to enhance the presentation our data. This also helps provide some context to the various data points. As before, this new segment of code is inserted below our first two code snippets but above the save() method.

Creating a tour with simplekml is pretty simple. We need to first create a tour object and give it a name. This tour will show up in Google Earth by the name we assign it. Next, we create a playlist object, where we will add the various events of the tour to this playlist. There are a few types of events you can add to a tour, in this case we are only going to focus on flying between each location with the newgxflyto() method. We iterate through our csv_data list and add the longitude and latitude points to our goto variable. The duration keyword dictates how quickly or slowly the camera goes to each point. We also set the altitude for each point to stay at 1,500 feet above sea level.

This library makes presenting and reviewing GPS data straightforward and easy to understand for technical and non-technical users alike. Imagine being handed the task of reviewing our original input spreadsheet but with thousands of similar looking coordinates. It’d be much easier to map all of those out and review them in a platform like Google Earth. Even better, one could import the datetime module, and plot location paths and / or tours of location points within a certain timeframe of each other to associate sets of coordinates with each other.

If you’d like to see more, check out the simplekml docs for additional details and objects you can use. Is there a forensic task you have been trying to accomplish with Python or a library you want to know more about, please let me know in the comments below.